EAP identity privacy is provided by certain EAP methods where an empty or an anonymous identity (different from the actual identity) is sent in response to the EAP identity request. PEAP method sends the identity twice during the authentication. In the 1st phase the identity is sent in plain text and this identity will be used for routing purposes and not for client authentication. The real identity is sent within a secure tunnel (established in the 1st phase) during the 2nd phase of the authentication.
Support for Identity Privacy in Protected EAP (PEAP) method is introduced in Windows 7. The PEAP identity that is sent in 1st phase is configurable in the “Protected EAP Properties” dialog.
If the “Enable Identity Privacy” checkbox is checked then the username in the real identity is replaced with the text in the textbox. If the real identity is firstname.lastname@example.org, “Enable Identity Privacy” checkbox is checked and the textbox contains “anonymous” then the identity sent in 1st phase will be email@example.com. The realm portion of the 1st phase identity will not be modified as it is used for routing purposes.
Network policy server (NPS) is sending EAP-failure immediately after sending the identity response
If the NPS policy is created in the “Network Policies” then identity privacy doesn’t work. The NPS policy has to be created in the “Connection Request Policy”.